Sometimes, you hit a policy issue, make non-standard configuration changes or you just need a daemon to work regardless of SELinux restriction. In these cases you might want to switch a domain to be permissive:
# semanage permissive -a <domain>
This simple command creates and loads a module permissive_<domain> with one rule:
# bzcat /var/lib/selinux/targeted/active/modules/400/permissive_openvpn_t/cil
(typepermissive openvpn_t)
From this point, SELinux is not enforced on openvpn_t while AVCs are still logged